How KFSensor works

KFSensor is an Intrusion Detection System. It performs this role by opening ports on the machine it is installed on and waiting for connections to be made to those ports. It does this in exactly the same way as conventional server software, such as a web server or an SMTP server. By doing this it sets up a target, or a honeypot server, that will record the actions of a hacker.

KFSensor is flexible and highly configurable.

There are several components of the KFSensor system:

KFSensor Server

The KFSensor Server provides the core functionality of the KFSensor system. It listens on both TCP and UDP ports on the server machine, interacts with visitors, and generates events.
The KFSensor Server has no user interface and runs in the background.
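
The following added example (not KFSensor code and not part of the original manual) shows the listen-and-record mechanism described above: it binds TCP and UDP ports, accepts visitors, and turns each visit into an event. The function names, event fields and the 512-byte capture limit are assumptions made for the illustration.

```python
import json
import selectors
import socket
import time

MAX_CAPTURE = 512  # assumed cap on bytes kept per visit, so a visitor cannot flood the log
def open_sensor(host, tcp_ports, udp_ports):
    """Bind every listed port (0 = let the OS pick a free one) and return a selector."""
    kinds = {"tcp": socket.SOCK_STREAM, "udp": socket.SOCK_DGRAM}
    sel = selectors.DefaultSelector()
    for proto, port in [("tcp", p) for p in tcp_ports] + [("udp", p) for p in udp_ports]:
        sock = socket.socket(socket.AF_INET, kinds[proto])
        sock.bind((host, port))
        if proto == "tcp":
            sock.listen()
        sock.setblocking(False)
        sel.register(sock, selectors.EVENT_READ, proto)
    return sel

def bound_ports(sel):
    """Return [(proto, port)] for every socket the sensor is listening on."""
    return [(k.data, k.fileobj.getsockname()[1]) for k in sel.get_map().values()]

def poll_events(sel, timeout=1.0):
    """Wait up to `timeout` seconds and return one event dict per visit seen."""
    events = []
    for key, _ in sel.select(timeout):
        sock, proto = key.fileobj, key.data
        try:
            if proto == "tcp":
                conn, peer = sock.accept()
                with conn:
                    conn.settimeout(0.5)  # a port scanner may connect and send nothing
                    try:
                        data = conn.recv(MAX_CAPTURE)
                    except OSError:       # timeout or reset: still record the visit
                        data = b""
            else:
                data, peer = sock.recvfrom(MAX_CAPTURE)
        except OSError:
            continue  # visitor vanished between select() and accept()/recvfrom()
        events.append({"time": time.time(), "proto": proto,
                       "sensor_port": sock.getsockname()[1],
                       "visitor": f"{peer[0]}:{peer[1]}", "data": data.decode("latin-1")})
    return events

def to_log_line(event):
    """Serialise an event as JSON; control bytes sent by the visitor are escaped."""
    return json.dumps(event, sort_keys=True)
```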

KFSensor Monitor

The KFSensor Monitor contains the user interface of the KFSensor system. Using it you can configure the KFSensor Server and monitor the events generated by the KFSensor Server.

KFSensor Collator

The KFSensor Collator is an application which runs without a user interface as a Windows system service.
It provides the core functionality of the Enterprise Edition.

  • Collects events and status updates from remote sensors into a central database.
  • Generates alerts from a single central location.
  • Distributes centrally defined updates to signatures and visitor rules to remote sensors.

KFSensor Report Server

The KFSensor Report Server provides the reports functionality. It queries the log database and acts as an HTTP server to provide the data and files for the KFSensor web-based reports.
